Setting up worker node disk encryption for VPC clusters

Virtual Private Cloud

By default, the one primary disk of VPC worker nodes is AES-256 bit encrypted at rest by the underlying VPC infrastructure provider.

You can manage the encryption of the worker nodes by enabling a KMS provider at the worker pool level.

1. Create a KMS instance and root key.

2. Make sure that you have the following service authorization policies in IBM Cloud IAM, created under the account where the KMS instance resides, with the following details:

   • Required service access policy for Kubernetes Service and the KMS provider
     1. Set the Source account for This account if the cluster you want to authorize accessing KMS resides in the current account, otherwise if the cluster located under a different account, select Other account and provide the account ID.
     2. Set the Source service to Kubernetes Service.
     3. Set the Target service to your KMS provider, such as Key Protect.
     4. Include at least Reader service access.
     5. Enable the authorization to be delegated by the source and dependent services.
   • Required service access policy for Cloud Block Storage and the KMS provider
     1. Set the Source account for This account if the cluster you want to authorize accessing KMS resides in the current account, otherwise if the cluster located under a different account, select Other account and provide the account ID.
     2. Set the Source service to Cloud Block Storage.
     3. Set the Target service to your KMS provider, such as Key Protect.
     4. Include at least Reader service access.

   Red Hat OpenShift on IBM Cloud automatically creates a service-to-service delegation policy for the Cloud Block Storage service in the IBM-managed service account to the KMS provider instance under the account where the KMS instance and CRK reside. This delegation policy is required so that the VPC infrastructure can encrypt the boot volume of the worker nodes in the IBM-managed service account with your customer-provided root key of the KMS provider.

3. Create a cluster or worker pool that includes the account where the KMS instance resides, the KMS provider instance and root key. Each worker node in the worker pool then is encrypted by the KMS provider that you manage. Each worker pool in your cluster can use the same KMS instance and root key, the same KMS instance with different root keys, or different instances.

   • Creating a cluster: Only the default worker pool's nodes are encrypted. After you create the cluster, if you create more worker pools, you must enable encryption in each pool separately. For more information, see Creating clusters or the CLI reference documentation.

   • Creating a worker pool: For more information, see Creating VPC worker pools or the CLI reference documentation.

4. Verify that your worker pool is encrypted by reviewing the worker pool details.

   • UI: After selecting your cluster from the Red Hat OpenShift clusters console, click Worker pools. Then, click your worker pool.
   • CLI: Review the KMS and CRK fields in the output of the following command.

     ibmcloud oc worker-pool get --name <worker_pool_name> --cluster <cluster_name_or_ID>
     

5. Optional: Rotate the root key periodically per your company's security compliance guidelines. For more information, see the Managing encryption topic in the VPC documentation.

   Do not delete your KMS instance. You can't change the KMS instance that is used to encrypt the worker pool. If you disable or delete the root key, your worker nodes enter a critical state until you restore the root key and reboot the worker nodes.

The encryption for the disks of the worker nodes in your worker pool are now managed by the root key in your KMS provider. If you created a cluster, the worker pool is the default worker pool.